PROPOSAL: The future of Sentinel in ALZ (following on from #1898)

[jtracey93]

Hello all, thanks for the replies and responses over in #1898

We have had some great insights, feedback and suggestions to the questions we posed. Below is a summary of those answers:

**Summary of answers in discussion thread, thanks to GitHub Copilot**

Summary of Answers to Each Question

1. Do we need a separate LAW dedicated to Sentinel?

• General Consensus: Most participants agree on the need for a separate LAW due to:
  • Cost concerns, particularly with double ingestion for operational and security logs.
  • Simplified access control and management for security teams.
  • Limiting the "blast radius" of potential issues, especially when workspace transformation DCRs are heavily used.
  • Ease of separating operational and security logs.

2. Do we need a separate “Security” platform Subscription?

• General Consensus: A separate subscription is seen as beneficial for:
  • Limiting the blast radius in case of issues.
  • Enabling easier separation of access between teams managing Sentinel and other resources.
  • Supporting the principle of least privilege.

3. Does this need to be in a separate “Security” Management Group?

• General Consensus: While a separate management group could be useful, it is not deemed necessary. RBAC is generally recommended at the subscription level rather than at the management group level.

4. Should ALZ deploy anything Sentinel related? Or should it just provide placement guidance and platform pre-requisites?

• General Consensus: The preference depends on the organization's needs:
  • Some suggest ALZ should deploy Sentinel-related resources (e.g., resource group and LAW) and leave the rest to the security team.
  • Others recommend ALZ provide guidance and platform pre-requisites only, allowing security teams to manage Sentinel independently.

What we propose going forward in ALZ in regards to Sentinel

1. A dedicated SIEM/Security subscription in a new Security, Management Group
2. This subscription will not have anything deployed into it and will be empty due to:
   • We do not want to trigger the Sentinel free trial earlier than you are ready
   • A lot of customers, partners, ISVs etc. have their own ways of deploying and managing their Sentinel deployments and therefore we don't want to get in the way of that and make onboarding to these ways harder post ALZ deployment.
     • We can always build some AVM modules to help deploy and manage the LAW and Sentinel onboarding and management aspects, if requested... https://aka.ms/avm/moduleproposal

Some notes on the proposal above

1. We will expect the subscription to be created outside of ALZ, e.g. via Subscription Vending or manually, so that when you deploy ALZ it already exists
   • We will then just move it to the Management, Management Group
2. We will update the ALZ diagram and Visio with these changes
3. We will update any ALZ MS Learn CAF Documentation relating to these Sentinel decisions for ALZ

So what do you think?

Let us know in the poll below and then we can move towards taking action on this 👍

And as always, if you feel we should be doing something different then please vote No and let us know in a comment what you would propose instead. We always want to hear your feedback 👂

[macko76]

I feel we ought to consider scenarios with or without Defender XDR and associated authorisation to be delivered to SOC teams. They are typically collaborating with 3rd party that need access usually to deploy / operate Azure logic apps. Clearly a separate subscription with SOC ownership is a better way.

[alphasteff]

Hi Jack

I agree with the described permissions topic. However, I would prefer a dedicated management group for security that is consistent with the other landing zones of the platform. A purpose-specific management group.

Greetings
Stefan

[grabiGX]

I would agree with Stefan here...

[jtracey93]

Okay we chatted today and we agreed to a dedicated management group beneath platform for Security

[alphasteff]

@jtracey93 That sounds great, thanks for the feedback.
Will this be included in the text of the
proposal?

[TrentSteenholdt-Insight]

Okay we chatted today and we agreed to a dedicated management group beneath platform for Security

You can't just make this change to the proposal and then expect a vote like the one above to be the same. My vote would change from a yes, to a no.

Adding management groups for the sake of some Azure Policy 'overzealousness' only makes the adoption of ALZ's like these harder for customers. You're doing yourselves a disservice by making it hard and fast that more management groups are the answer.

[jtracey93]

Hey @TrentSteenholdt-Insight, fair point.

However, we do already talk about doing this exact tailoring of the Management Group hierarchy in https://aka.ms/alz/tailoring so its not a new concept, just becoming more prominent based on customers feedback.

I'd love to understand more on your statement of "You're doing yourselves a disservice by making it hard and fast that more management groups are the answer." policy application and differences of archetypes are exactly a reason to have more management groups. Feel free to share some examples and specifics here if you can

Thanks

[jtracey93]

https://techcommunity.microsoft.com/blog/azuregovernanceandmanagementblog/a-new-platform-management-group--subscription-for-security-in-azure-landing-zone/4433287

Closing as work now in progress and live